I've been running a Linux router with host-to-LAN OpenVPN for quite a few years, without issues, but now my client had to rebuild their machine, and they lost their config and PEM files. I've sent them a backup of the initial setup and re-exported their PEMs, but they are having a problem:
Client log:
Thu Jan 13 12:12:12 2022 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Sep 26 2017
Thu Jan 13 12:12:12 2022 Windows version 5.1 (Windows XP) 32bit
Thu Jan 13 12:12:12 2022 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Thu Jan 13 12:12:12 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25347
Thu Jan 13 12:12:12 2022 Need hold release from management interface, waiting...
Thu Jan 13 12:12:12 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25347
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'state on'
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'log all on'
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'hold off'
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'hold release'
Thu Jan 13 12:12:31 2022 MANAGEMENT: CMD 'username "Auth" "vpnuser0"'
Thu Jan 13 12:12:31 2022 MANAGEMENT: CMD 'password [...]'
Thu Jan 13 12:12:31 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 13 12:12:32 2022 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jan 13 12:12:32 2022 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:1194 [nonblock]
Thu Jan 13 12:12:32 2022 MANAGEMENT: >STATE:1642065152,TCP_CONNECT,,,
Thu Jan 13 12:12:33 2022 TCP connection established with [AF_INET]xx.xx.xx.xx:1194
Thu Jan 13 12:12:33 2022 TCPv4_CLIENT link local: [undef]
Thu Jan 13 12:12:33 2022 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
Thu Jan 13 12:12:33 2022 MANAGEMENT: >STATE:1642065153,WAIT,,,
Thu Jan 13 12:12:33 2022 MANAGEMENT: >STATE:1642065153,AUTH,,,
Thu Jan 13 12:12:33 2022 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=dc7d9a9f 7fb294cf
Thu Jan 13 12:12:33 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 13 12:12:36 2022 VERIFY OK: depth=1, C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA, emailAddress=Fulvio.Ricciardi@zeroshell.net
Thu Jan 13 12:12:36 2022 VERIFY OK: depth=0, OU=Hosts, CN=router.xxxxxxx.xx
Thu Jan 13 12:12:38 2022 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Thu Jan 13 12:12:38 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1576'
Thu Jan 13 12:12:38 2022 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Thu Jan 13 12:12:38 2022 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 13 12:12:38 2022 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Jan 13 12:12:38 2022 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 13 12:12:38 2022 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 13 12:12:38 2022 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Jan 13 12:12:38 2022 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 13 12:12:38 2022 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Jan 13 12:12:38 2022 [router.xxxxxxx.xx] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Thu Jan 13 12:12:39 2022 MANAGEMENT: >STATE:1642065159,GET_CONFIG,,,
Thu Jan 13 12:12:40 2022 SENT CONTROL [router.xxxxxxx.xx]: 'PUSH_REQUEST' (status=1)
Thu Jan 13 12:12:41 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.250.254,,dhcp-option DNS 192.168.250.254,route remote_host 255.255.255.255 net_gateway 1,route 10.10.10.2 255.255.255.255,ping 5,ping-restart 60,ifconfig 192.168.250.50 255.255.255.0'
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: route options modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: route-related options modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 13 12:12:41 2022 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Thu Jan 13 12:12:41 2022 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=2 HWADDR=00:0c:29:d1:7c:c9
Thu Jan 13 12:12:41 2022 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jan 13 12:12:41 2022 MANAGEMENT: >STATE:1642065161,ASSIGN_IP,,192.168.250.50,
Thu Jan 13 12:12:41 2022 MANAGEMENT: Client disconnected
Thu Jan 13 12:12:41 2022 There is a problem in your selection of --ifconfig endpoints [local=192.168.250.50, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Thu Jan 13 12:12:41 2022 Exiting due to fatal error
Here is the config:
Client config:
remote xx.xx.xx.xx 1194
proto tcp
auth-user-pass
ca CA.pem
cert client.pem
key client.pem
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
The VPN on the server side uses the IP range 192.168.250.50 - 192.168.250.55, netmask 255.255.255.0, GW 192.168.250.254.
What am I doing wrong with this client's config, this time?
Thank you!
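As an added illustration (not part of the question above, and not OpenVPN's own tooling), the following Python script cross-checks an OpenVPN 2.3-style client log against the client config the way a reviewer would when a rebuilt machine "mysteriously" fails: it pulls the `'X' is used inconsistently, local=..., remote=...` warnings, the negotiated data-channel cipher, the `PUSH_REPLY` options and the missing-server-verification warning out of the log, and compares them with what the config file declares. The sample log and config are constructed excerpts of the ones posted above; the regular expressions assume the log line formats shown there.

```python
import re

# Constructed excerpt of the client log from the post (sanitised values kept as-is).
SAMPLE_LOG = """\
Thu Jan 13 12:12:31 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 13 12:12:38 2022 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Thu Jan 13 12:12:38 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1576'
Thu Jan 13 12:12:38 2022 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 13 12:12:41 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.250.254,,dhcp-option DNS 192.168.250.254,ping 5,ifconfig 192.168.250.50 255.255.255.0'
"""

# Constructed copy of the client config from the post.
SAMPLE_CONF = """\
remote xx.xx.xx.xx 1194
proto tcp
auth-user-pass
ca CA.pem
cert client.pem
key client.pem
comp-lzo
client
dev tap
"""

# Log line shapes as printed by OpenVPN 2.3 (assumed from the posted log).
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='[\w-]+ (?P<local>[^']*)', remote='[\w-]+ (?P<remote>[^']*)'")
CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '(?P<cipher>[^']+)'")
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
# Ciphers with a 64-bit block size, the SWEET32 class the log itself warns about.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_conf(text):
    """Map each config directive to its argument string ('' for bare directives)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def parse_log(text):
    """Extract the negotiation facts we care about from the client log."""
    info = {"inconsistent": {}, "ciphers": set(), "pushed": {}, "no_server_verify": False}
    for line in text.splitlines():
        m = INCONSISTENT_RE.search(line)
        if m:
            info["inconsistent"][m["opt"]] = (m["local"], m["remote"])
            continue
        m = CIPHER_RE.search(line)
        if m:
            info["ciphers"].add(m["cipher"])
            continue
        m = PUSH_RE.search(line)
        if m:
            # Body is 'PUSH_REPLY,<opt> <args>,<opt> <args>,...'; empty items can occur.
            for item in m["body"].split(",")[1:]:
                if item:
                    k, _, v = item.partition(" ")
                    info["pushed"][k] = v
            continue
        if "No server certificate verification method has been enabled" in line:
            info["no_server_verify"] = True
    return info


def check(conf, log):
    """Return human-readable findings from comparing config and log."""
    findings = []
    dev = log["inconsistent"].get("dev-type")
    if dev:
        local, remote = dev
        if conf.get("dev") and conf["dev"] != local:
            findings.append(f"config declares 'dev {conf['dev']}' but the running client "
                            f"negotiated dev-type {local}: the log does not match this config file")
        findings.append(f"dev-type mismatch with server (local={local}, remote={remote})")
    ifc = log["pushed"].get("ifconfig", "").split()
    if dev and dev[0] == "tun" and len(ifc) == 2 and ifc[1].startswith("255."):
        findings.append(f"server pushed 'ifconfig {ifc[0]} {ifc[1]}' (netmask form) to a tun "
                        "client; tun expects a peer address, so TAP-Windows will reject it")
    for cipher in sorted(log["ciphers"] & SMALL_BLOCK_CIPHERS):
        findings.append(f"data channel cipher {cipher} has a 64-bit block (SWEET32); "
                        "move both ends to an AES cipher")
    if log["no_server_verify"] and "remote-cert-tls" not in conf:
        findings.append("no server certificate verification: add 'remote-cert-tls server' "
                        "to the client config")
    return findings


if __name__ == "__main__":
    for finding in check(parse_conf(SAMPLE_CONF), parse_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against the posted material, the first finding is the one worth chasing before anything else: the config says `dev tap`, yet the log shows the client negotiated `dev-type tun`, so whatever the rebuilt machine is actually loading is not the file shown. The remaining findings (tun/tap mismatch with the server, the pushed netmask-form `ifconfig`, the BF-CBC data channel and the absent `remote-cert-tls server`) are the points a reviewer would raise once the right config is in place.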